On Mon, Feb 27, 2012 at 09:40:46PM +0000, Dominic Hargreaves wrote:
> Source: liblocale-hebrew-perl
> Severity: normal
> Version: 1.04-1
> User: [email protected]
> Usertags: hardening-format-security hardening
> 
> With hardening flags enabled, this package FTBFS:
> 
> bidi.c: In function 'ShowInputTypes':
> bidi.c:1237:5: error: format not a string literal and no format arguments 
> [-Werror=format-security]
> bidi.c: In function 'ShowTypes':
> bidi.c:1248:5: error: format not a string literal and no format arguments 
> [-Werror=format-security]
> bidi.c: In function 'ShowLevels':
> bidi.c:1259:5: error: format not a string literal and no format arguments 
> [-Werror=format-security]
> cc1: some warnings being treated as errors

These functions are undocumented and not used by the module itself. They
are apparently inherited from a "Sample Implementation of the Unicode
Bidirectional Algorithm". While they are exported by the shared object
/usr/lib/perl5/auto/Locale/Hebrew/Hebrew.so, it doesn't seem likely
that anybody would use them. There are no reverse dependencies in Debian
to check.

Also, the functions don't seem to be actually vulnerable as
CharFromTypes[] is a fixed array that doesn't contain the percent sign,
and the format strings are made from its elements. I don't claim
to actually understand the stuff, though.

Conclusion: no obvious security impact.
-- 
Niko Tyni   [email protected]
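The warning in the quoted build log comes from passing a computed string as the format argument of printf() with no further arguments. The following is an added example, not code from liblocale-hebrew-perl or from the bug report: it sketches the shape of the flagged call and the usual fix (pass the string as data via "%s" or fputs). The contents of CharFromTypes[] here are constructed for illustration; the real table in bidi.c is not reproduced on this page.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for bidi.c's fixed CharFromTypes[] table; the real
   table's contents are not on this page. Like the real one it has no '%'. */
static const char CharFromTypes[] = "LRENANCSBSWSONBNEGMNRLE";

/* Build the human-readable type string that a Show* helper would print.
   Returns the number of characters written (excluding the NUL). */
static size_t build_type_string(const unsigned char *types, size_t n,
                                char *out, size_t outsz)
{
    size_t i;
    if (outsz == 0)
        return 0;
    for (i = 0; i < n && i + 1 < outsz; i++)
        out[i] = CharFromTypes[types[i] % (sizeof CharFromTypes - 1)];
    out[i] = '\0';
    return i;
}

/* The pattern gcc rejects under -Werror=format-security: a computed string
   used as the format with no arguments. Disabled here because with that
   flag it does not compile; it only shows the shape of the flagged call. */
#if 0
static void show_types_flagged(const char *s)
{
    printf(s);  /* error: format not a string literal and no format arguments */
}
#endif

/* Fix: pass the computed string as data. Either form silences the warning
   and, more importantly, means a '%' in the data is printed, not parsed. */
static void show_types_fixed(const char *s)
{
    printf("%s\n", s);  /* or: fputs(s, stdout); fputc('\n', stdout); */
}

/* Same fix applied to a buffer-producing variant so the behaviour can be
   checked without capturing stdout: any '%' in the input survives unchanged.
   Returns snprintf's result (characters that would have been written). */
static int render_as_data(const char *s, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s", s);
}

int main(void)
{
    unsigned char types[] = {0, 1, 2, 3, 4};
    char buf[64];

    build_type_string(types, sizeof types, buf, sizeof buf);
    show_types_fixed(buf);
    return 0;
}
```

The compiler flag only sees the call site, which is why a fixed table with no percent sign still trips it: the diagnostic is about the shape of the call, not about the data that happens to flow into it. Rewriting the call as printf("%s", s) keeps the output identical for the table used here and removes the dependence on that property of the data.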
